Lucene search
K
DevolutionsDevolutions Server

21 matches found

CVE
CVE
added 2024/03/05 9:33 p.m.70 views

CVE-2024-1901

CVE-2024-1901 describes a denial of service in Devolutions Server 2023.3.14.0 during PAM password rotation in the check-in process. An authenticated user with specific PAM permissions can render PAM credentials unavailable. The CVSS vector indicates network access, low attack complexity, and low ...

4.3CVSS6.7AI score0.00339EPSS
CVE
CVE
added 2025/05/05 2:0 p.m.64 views

CVE-2025-4316

CVE-2025-4316 describes an improper access control in the PAM feature of Devolutions Server that enables a PAM user to self-approve requests, contrary to policy. Affected versions include 2025.1.3.0–2025.1.6.0 and all versions up to 2024.3.15.0. The issue’s root cause is restricted to PAM workflo...

4.3CVSS4.5AI score0.00305EPSS
CVE
CVE
added 2023/05/02 1:11 p.m.62 views

CVE-2023-2445

Summary of CVE-2023-2445 (Devolutions Server) Affected software: Devolutions Server, versions 2023.1.1 and earlier. Vulnerability: Improper access control in the Subscriptions Folder path filter. This allows attackers with administrator privileges to retrieve usage information about folders in a ...

4.9CVSS4.9AI score0.00979EPSS
CVE
CVE
added 2024/12/04 5:18 p.m.58 views

CVE-2024-12148

CVE-2024-12148 affects Devolutions Server 2024.3.6.0 and earlier. The root cause is incorrect authorization in the permission validation component, allowing an authenticated user to access some reporting endpoints. Impact is limited to unauthorized access to reporting data as described in multipl...

4.3CVSS6.8AI score0.00357EPSS
CVE
CVE
added 2024/11/12 3:52 p.m.54 views

CVE-2024-10971

CVE-2024-10971 affects Devolutions DVLS 2024.3.6 and earlier: an improper access control in the Password History feature allows a malicious authenticated user to obtain sensitive data via faulty permissions. Red Hat and Nessus/Nessus-derived sources corroborate information disclosure in DVLS 2024...

4.3CVSS6.1AI score0.0051EPSS
CVE
CVE
added 2024/03/05 9:35 p.m.52 views

CVE-2024-1898

CVE-2024-1898 : Devolutions Server (versions up to 2023.3.14.0) has improper access control in the notification feature, allowing a low-privileged user to change administrator-configured notification settings. The root cause is access control weakness that lets non-admins modify admin-defined con...

4.3CVSS6.6AI score0.00204EPSS
CVE
CVE
added 2021/07/12 1:4 p.m.51 views

CVE-2021-36382

CVE-2021-36382 affects Devolutions Server prior to 2021.1.18 and LTS prior to 2020.3.20. The issue allows interception of private keys via a man-in-the-middle attack against the connections/partial endpoint, which accepts plaintext. Affected components and exact root cause are described across mu...

4.3CVSS4.3AI score0.00478EPSS
CVE
CVE
added 2024/04/09 7:1 p.m.46 views

CVE-2024-3545

CVE-2024-3545 involves Devolutions Remote Desktop Manager (Windows) version 2024.1.20 and earlier, and Devolutions Server version 2024.1.8 and earlier. The vulnerability stems from improper permission handling in the vault offline cache feature, which could allow an attacker with access to the in...

4.3CVSS6.7AI score0.00281EPSS
CVE
CVE
added 2026/05/22 3:28 p.m.29 views

CVE-2026-5171

CVE-2026-5171 describes improper access control in Devolutions Server’s entry activity log feature. An authenticated user with access to an entry but lacking the required permission can retrieve that entry’s activity logs via a crafted API request. Affected: Devolutions Server 2026.1.6.0–2026.1.1...

4.3CVSS5.8AI score0.00162EPSS
CVE
CVE
added 2026/05/22 3:25 p.m.29 views

CVE-2026-9224

CVE-2026-9224 : The issue in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request due to missing authorization in the user profile update feature. Affected: Devolutions Server 2026.1.6.0–2026.1.16.0 and 2025.3.20.0 and e...

4.3CVSS5.8AI score0.00152EPSS
CVE
CVE
added 2026/06/08 6:26 p.m.27 views

CVE-2026-10787

The CVE-2026-10787 entry concerns Devolutions Server (versions 2026.2.4.0 and 2026.1.20.0 and earlier) where missing authorization in the deleted user groups API allows an authenticated, low-privileged user to enumerate metadata of deleted user groups via a crafted API request. The issue targets ...

4.3CVSS5.5AI score0.00155EPSS
CVE
CVE
added 2026/06/16 6:25 p.m.27 views

CVE-2026-12117

CVE-2026-12117 affects Devolutions Server 2026.2.5: improper access control in the social login connection endpoint allows an authenticated vault member to enumerate social login entry metadata they are not authorized to access via a crafted API request. CVSSv3.1 base score is 4.3 (Medium). The p...

4.3CVSS5.3AI score0.0018EPSS
CVE
CVE
added 2026/05/12 4:16 p.m.26 views

CVE-2026-8407

CVE-2026-8407 affects Devolutions Server where the PAM module’s authorization is missing. An authenticated user with a PAM license but no additional permissions can craft requests to PAM API endpoints to retrieve OTP secret keys and recovery codes. Impacted versions include Devolutions Server 202...

4.3CVSS5.8AI score0.00197EPSS
CVE
CVE
added 2026/05/22 3:21 p.m.24 views

CVE-2026-9223

CVE-2026-9223 affects Devolutions Server (versions 2026.1.16.0 and earlier) where the vault import feature has missing authorization. This allows a low-privileged authenticated user to create new vaults via a crafted import request. The provided documents do not include exploitation details, scop...

4.3CVSS5.8AI score0.00152EPSS
CVE
CVE
added 2026/05/22 3:26 p.m.24 views

CVE-2026-9246

CVE-2026-9246 : Improper access control in Devolutions Server’s entry documentation and attachment features allows an authenticated user with vault read access to retrieve documentation and attachments of sealed entries via a crafted API request. Affected: Devolutions Server 2026.1.6.0–2026.1.16....

4.3CVSS5.8AI score0.00152EPSS
CVE
CVE
added 2025/11/27 3:30 p.m.22 views

CVE-2025-13765

CVE-2025-13765 affects Devolutions Server, where email service credentials are exposed to non-administrative users. Public details in connected documents specify affected versions as before 2025.2.21 and before 2025.3.9. The issue’s root cause is credential exposure in the email service, with mul...

4.3CVSS6.5AI score0.00326EPSS
CVE
CVE
added 2026/02/24 7:1 p.m.15 views

CVE-2026-1768

CVE-2026-1768 describes a permission cache poisoning vulnerability in Devolutions Server that allows authenticated users to bypass permissions and access entries. Affected are Devolutions Server versions prior to 2025.3.15. The issue is confirmed across multiple sources and is addressed by upgrad...

4.3CVSS5.4AI score0.00224EPSS
CVE
CVE
added 2026/05/12 5:28 p.m.14 views

CVE-2026-5146

CVE-2026-5146 targets Devolutions Server. The issue is improper access control in the notification management endpoints, allowing an unauthenticated attacker to modify or delete arbitrary user notification records due to missing session validation. Affected versions range from Devolutions Server ...

4.3CVSS5.9AI score0.00162EPSS
CVE
CVE
added 2026/06/16 6:24 p.m.12 views

CVE-2026-11890

The CVE-2026-11890 entry concerns Devolutions Server versions 2026.1.21 and 2026.2.5, where improper access control in PAM account discovery allows an authenticated user to retrieve account discovery scan results. The connected documents confirm affected software and the root cause (in PAM accoun...

4.3CVSS5.3AI score0.00162EPSS
CVE
CVE
added 2026/02/25 6:29 p.m.11 views

CVE-2026-3221

CVE-2026-3221 affects Devolutions Server, specifically versions 2025.3.14 and earlier. The root cause is unencrypted storage of sensitive user account information in the database, enabling an attacker with direct database access to obtain sensitive data. Impact is information disclosure; exploita...

4.9CVSS5.3AI score0.00154EPSS
CVE
CVE
added 2026/04/01 3:7 p.m.10 views

CVE-2026-4989

The CVE-2026-4989 entry describes a vulnerability in Devolutions Server where improper input validation in the gateway health check enables a low-privilege authenticated user to trigger server-side request forgery (SSRF) and potentially disclose information. Affected versions include 2026.1.1–202...

4.3CVSS5.9AI score0.00162EPSS